Top takeaways

• ‍The behavioral backslide‍
  
  • MFA awareness climbed from 52% to 77% since 2021 — but regular usage collapsed from 94% in 2022 to just 53% in 2025
    
  • People who 'always' install software updates immediately dropped from 44% to 31% over five years
  • Despite stable confidence in spotting threats, those who 'always' check for phishing signs fell from 51% to 36%

• ‍The psychological shift‍
  
  • People overwhelmed by security information to the point of inaction rose from 34% to 43% in just three years
  • The 'my data's already out there' fatalism surged from 22% in 2023 to 34% in 2025
    
  • Over half (53%) now see cost as a major barrier to security — up from 43% in 2021

• ‍The real-world cost‍
  
  • Overall cybercrime victimization has risen from 34% in 2021/2022 to 44% in 2025

...and much more — including five years of trend data on the growing distance between what people know and what they actually do.

‍

Report summary

We've known for years that people understand the risks. So why are they protecting themselves less than they did in 2021?

After five years of awareness campaigns, training programmes, and breach headlines – the gap between knowledge and action is getting wider, not narrower.

CybSafe and the National Cybersecurity Alliance's Oh, Behave! 5-Year Behavioral Trends Report maps exactly how human cyber risk has shifted since 2021. Drawing on data from thousands of participants across the globe, it reveals the forces quietly reshaping our relationship with online security: rising fatalism, growing overwhelm, and a deepening sense that staying secure just isn't worth the effort.

The findings are urgent. And actionable.

‍

This report covers:

• Five years of trend data on MFA adoption, phishing vigilance, and update behaviour
• The psychological barriers driving the knowledge-action gap
• What organizations, policy makers, and practitioners can do to reverse the trend

‍

This report is for:

• Security awareness & human risk management professionals
• CISOs, CTOs, and CIOs
• IT Directors, IT Managers, and Data Protection Officers
• Anyone running security awareness or human risk management programmes

‍

Authors

Dr Suzie Dobrontei

Behavioral Scientist, CybSafe

‍

Suzie is a chartered social psychologist, tech enthusiast, former university lecturer, and CybSafe Behavioral Scientist.

She’s researched and taught social processes, group dynamics and human factors in cyber security for eight years.

Suzie is the lead author for The Annual Cybersecurity Attitudes and Behaviors Report 2025-2026.

‍

‍

‍

Dr Jason Nurse

Director of Science and Research, CybSafe

‍

Jason is the Director of Science & Research at CybSafe, and an Associate Professor in Cyber Security at the University of Kent.

At CybSafe, Dr Nurse leads a team of behavioral scientists and researchers responsible for ensuring that the company’s product is grounded in scientific evidence and empowers users to make smarter security decisions and build better habits.

‍

‍

Liza Plaggemier

Executive Director, The National Cybersecurity Alliance

‍

Lisa Plaggemier is Executive Director at the National Cybersecurity Alliance. She is a recognized thought leader in security awareness and education with a track record of engaging and empowering people to protect themselves, their families, and their organizations.

Lisa has worked as an international marketer with Ford Motor Company, Director of Security Culture, Risk and Client Advocacy for CDK Global, Chief Evangelist at InfoSec, and Chief Strategy and Marketing Officer at MediaPRO.

‍

‍

‍Oz Alashe MBE

CEO & Founder, CybSafe

‍

Oz leads CybSafe. He has been the driving force behind CybSafe – the concept, vision and platform.

A former UK Special Forces Lieutenant Colonel, Oz is focused on making society more secure by helping organizations address the human aspect of cyber security.

‍

‍